On Fri, Aug 18, 2000 at 01:57:03AM -0500, Scott G. Miller wrote:
> > There needs to be additional security here, otherwise everyone who shares
> > the same ip range can pretend to be each other easily. Perhaps some kind
> > of random string or timestamp included in message to make it one-time or
> > at least short lived.
> Yeah, I thought about that. Clever of you to pick up on it as well. It
> doesn't matter though, since the other people in the IP range won't share
> the same key, so they can't really pretend, though they will cause
> false-rejects. Perhaps in combination with ARKs this would work okay.

I must be decidedly unclever here, because I don't understand what the issue is at all.

In the Freenet node addressing scheme as it would be with PKI and ARK, the identifier for a node would be the PK fingerprint. That the node one was talking to used the public key to which the fingerprint belonged would be verified at each connection, and be the one and only requirement for considering yourself to be speaking to the node for which an address corresponds.

In fact, we would probably be best off making the Address model more complete, so the DataSource part of a message might look like:

    DataSource.Fingerprint=ababab12344378985de
    DataSource.Number=A6
    DataSource.physical.tcp=tcp/192.168.1.1:1234
    DataSource.physical.tcp-ipv6=ipv6/aaaa:bbbb:cccc:dddd:1234
    DataSource.physical.inuit-smoke-signal=loc/77?12'45''N44?32'3''W
    DataSource.physical.pots-zmodem=pots/+6217250027

etc.

Connections to any of the addresses would be authenticated to have that fingerprint, so how could it matter if somebody moved into the same ip range or if another group of Eskimos took over that particular igloo?

If a connection to one of the addresses listed failed, the node would give the address to the ARK thread, which goes back to look up ARK(ababab12344378985de,A7) to see if there is an updated answer there. If there is, the data would of course be expected to have the same fingerprint (and be signed by the actual pk), and whatever new physical addresses were found would still also be expected to authenticate themselves just like before.

>

-- 
\oskar

_______________________________________________
Freenet-dev mailing list
Freenet-dev at lists.sourceforge.net
http://lists.sourceforge.net/mailman/listinfo/freenet-dev
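
Added example, not part of the original message and not Freenet code: a sketch of the fingerprint-bound checks described above, applied both to a peer answering at a physical address and to an updated record found under ARK(fingerprint, number). Ed25519, a hex SHA-256 fingerprint, the "fp|number|addrs" payload layout and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Fingerprint derives the node identifier from its public key (assumed: hex SHA-256).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// NewNode creates a key pair and returns it together with the node's fingerprint.
func NewNode() (ed25519.PublicKey, ed25519.PrivateKey, string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored in this sketch
	return pub, priv, Fingerprint(pub)
}

// Sign is what the node does to answer a challenge or to publish an ARK update.
func Sign(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

// VerifySigned accepts msg only if pub hashes to fp and pub signed msg.
func VerifySigned(fp string, pub ed25519.PublicKey, msg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && Fingerprint(pub) == fp && ed25519.Verify(pub, msg, sig)
}

// ARKPayload is the constructed byte string an update's signature covers.
func ARKPayload(fp, number, addrs string) []byte {
	return []byte(fp + "|" + number + "|" + addrs)
}

// VerifyARK checks a record fetched from ARK(fp, number) before its addresses are used.
func VerifyARK(fp, number, addrs string, pub ed25519.PublicKey, sig []byte) bool {
	return VerifySigned(fp, pub, ARKPayload(fp, number, addrs), sig)
}

func main() {
	pub, priv, fp := NewNode()
	squatPub, squatPriv, _ := NewNode()  // someone else now answering at the same IP
	c := []byte("constructed-challenge") // a real node would send fresh random bytes
	fmt.Println("node:", VerifySigned(fp, pub, c, Sign(priv, c)))
	fmt.Println("squatter:", VerifySigned(fp, squatPub, c, Sign(squatPriv, c)))
}
```

The physical address never enters either check, so a new occupant of the IP range fails authentication; the addresses found in a verified ARK record still have to pass the same challenge when they are contacted.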
